Welcome back to this week's Security Bulletin!
Have you ever used incognito mode in your browser? Of course you have, because everybody has something to keep private. Well, Xiaomi now stands accused of spying on users' online activity even in incognito mode.
Search-engine queries, folders opened, and screens swiped by users are sent to company servers by the browsers pre-installed on Xiaomi phones. The data is transferred to servers in Russia and China rented from Alibaba, where it is used to understand the user's behaviour.
Xiaomi has started rolling out an update to its Mi Browser/Mi Browser Pro (v12.1.4) and Mint Browser (v3.4.3) after concerns were raised over its practice of transmitting web browsing histories and device metadata to company servers. A new privacy setting lets users disable data collection in incognito mode, but collection remains enabled by default, so users have to opt out themselves.
SaltStack is infrastructure automation software used by IT, network, and security operations teams to drive security and reliability for digital business. Researchers found two critical vulnerabilities that, if exploited, allow an attacker to execute code on remote servers.
Attackers have already used these flaws in campaigns against servers belonging to LineageOS, Ghost, and DigiCert. The vulnerabilities are tracked as CVE-2020-11651 and CVE-2020-11652; their descriptions follow:
CVE-2020-11651: An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The ClearFuncs class of the salt-master process does not correctly validate method calls. This allows a remote, unauthenticated user to call methods that retrieve user tokens from the salt-master and run arbitrary commands on salt minions.
CVE-2020-11652: An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The ClearFuncs class of the salt-master process exposes some methods that improperly sanitize paths. These methods allow authenticated users arbitrary directory access.
SaltStack has fixed both issues in a new release (2019.2.4 and 3000.2), and users are advised to update their packages to the latest version.
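To decide which masters actually need the update, the affected ranges quoted in the two CVE descriptions can be encoded as a small version check. This is an added example, not code from the bulletin or from SaltStack; it assumes the input is the string printed by `salt --version` (for example "salt 3000.1") or a bare version number, and that releases newer than the 3000 series lie outside the quoted ranges.

```python
# Added example: classify a Salt version against the affected ranges quoted
# in CVE-2020-11651 / CVE-2020-11652 ("before 2019.2.4" and "3000 before 3000.2").
import re

# Fixed versions taken from the CVE text; everything below them is affected.
FIXED_LEGACY = (2019, 2, 4)   # date-based releases: 2018.3.x, 2019.2.0 .. 2019.2.3
FIXED_3000 = (3000, 2)        # 3000 and 3000.1 are affected, 3000.2 is fixed


def parse_version(text):
    """Return the numeric components of a Salt version string as a tuple.

    Accepts "salt 3000.1", "3000" or "2019.2.3"; raises ValueError otherwise.
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(text):
    """True if the version falls inside one of the two quoted affected ranges."""
    version = parse_version(text)
    major = version[0]
    if major == 3000:
        # A bare "3000" has no minor component; treat it as 3000.0.
        minor = version[1] if len(version) > 1 else 0
        return (major, minor) < FIXED_3000
    if major < 3000:
        # "SaltStack Salt before 2019.2.4" covers every older date-based release.
        return version < FIXED_LEGACY
    # Assumption: releases after the 3000 series are outside the quoted ranges.
    return False


def triage(reported_versions):
    """Map each reported version string to a patch-list verdict."""
    return {v: ("UPDATE REQUIRED" if is_affected(v) else "ok")
            for v in reported_versions}


if __name__ == "__main__":
    # Constructed sample of `salt --version` outputs gathered from several masters.
    sample = ["salt 2019.2.3", "salt 2019.2.4", "salt 3000", "salt 3000.1", "salt 3000.2"]
    for version, verdict in triage(sample).items():
        print(version, "->", verdict)
```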